User with access to single project is seeing other projects

Jennifer Osborn
Contributor
April 6, 2020

I have a new contractor starting this week.  They are to have access to only 1 project in JIRA.  

The issue is that they are seeing 4 other projects in addition to the one I want them to see.  I can't seem to figure out why this is.  We have a lot of JIRA projects, so I'm finding it odd that there are 4 oddities showing up.   For troubleshooting's sake, we'll just look at one oddball project (if I get this sorted, I think I can figure out the rest!).  

The user is a member of 1 group:  ext-project-only

The group has the following global permissions:  Browse Users

The group has the following application access:  JIRA service desk, JIRA software, JIRA Core

The project I don't want the user to see (we'll call it OOPS), has limited access already.  The users, developers, admin roles have limited membership of individuals only (like 5 people).  There are no groups being added to a role in the OOPS project.

The OOPS project has its own permission scheme.  It too is fairly locked down.  All permissions are granted to either the users, developers or administrator roles, EXCEPT for one custom field value, "EE Manager", which is a user-picker field.  EE Manager is included in the "Browse Projects" permission in the permission scheme.

When using the permission helper, the status for the user states "user does not have the 'browse projects' permission".  There is also a red X status for the Project role (user is not a member of any of these project roles), and a red X for the User Custom Field Value (user is not listed in the EE Manager field).  

However, the summary section shows a green checkmark status for "JIRA service desk does not override this permission."  My understanding is that JIRA service desk application permissions do not override the "browse projects" permissions (which are showing as a red X/No). 

Why do you think the user is able to browse to the project?  Note, they can't see any issues within the project (phew), but I'd like to make the entire project not appear on the list. 

Thanks!  I'm stumped and probably have looking disease from trying to figure this out today!


3 answers

1 vote
Jennifer Osborn
Contributor
April 6, 2020

So I think I found the answer.  I did some trial and error, and have found the "EE Manager" custom field to be the issue. 

First, I removed the group from the JIRA Service Desk application access to see if it made a difference.  It didn't. 

Then, I removed the "EE Manager" field from the Browse Project permission in the permission scheme.  Voila, the project is no longer visible to this user.  

Apparently, if the custom field is a "user picker" field, because anyone could be in that field, anyone could potentially have access to the project. Fortunately the security scheme prohibits the issues from being visible.  I see this as a potentially large security hole.  

Yikes. Glad I figured it out, but bummed that we either lose functionality with the project, or just accept that anyone with access to our JIRA server can see a potentially sensitive project exists. 

Kristján Geir Mathiesen
Community Champion
April 6, 2020

Glad you figured it out! :)
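Added example for this thread, not code from Atlassian or from either poster: a small Python audit that reads permission schemes in the shape returned by Jira's `GET /rest/api/2/permissionscheme?expand=permissions` and flags every Browse Projects grant that exposes a project's existence to all licensed users. The sample payload is constructed (scheme and field IDs are made up), and `fetch_schemes` with its `base_url`/`user`/`token` parameters is an assumption about how you would pull real data. Beyond the user-picker field in the question, it also flags Reporter, Assignee and group-picker holders, because those are evaluated per issue the same way (which is why the Reporter question was asked above).

```python
"""Audit Jira permission schemes for Browse Projects grants that expose a
project's existence to every licensed user.

Added example for this thread, not code from Atlassian or the posters.
"""
import base64
import json
import urllib.request
from typing import Dict, List

# Holder types whose membership is decided per issue (the holder is a field
# on the issue). Jira cannot evaluate these at project level, so any such
# grant in BROWSE_PROJECTS makes the project appear in the project list for
# every licensed user, exactly as the user-picker "EE Manager" field did.
PER_ISSUE_HOLDERS = {"userCustomField", "groupCustomField", "reporter", "assignee"}

# Holder types that grant to everyone (or every licensed user) outright.
EVERYONE_HOLDERS = {"anyone", "applicationRole"}

# Constructed sample in the shape of
# GET /rest/api/2/permissionscheme?expand=permissions (IDs are made up).
SAMPLE_SCHEMES: Dict = {
    "permissionSchemes": [
        {
            "id": 10010,
            "name": "OOPS permission scheme",
            "permissions": [
                {"id": 1, "permission": "BROWSE_PROJECTS",
                 "holder": {"type": "projectRole", "parameter": "10002"}},
                {"id": 2, "permission": "BROWSE_PROJECTS",
                 "holder": {"type": "userCustomField", "parameter": "customfield_10100"}},
                # Same field on a per-issue permission: harmless, must not be flagged.
                {"id": 3, "permission": "EDIT_ISSUES",
                 "holder": {"type": "userCustomField", "parameter": "customfield_10100"}},
            ],
        },
        {
            "id": 10000,
            "name": "Default Permission Scheme",
            "permissions": [
                {"id": 4, "permission": "BROWSE_PROJECTS",
                 "holder": {"type": "applicationRole"}},
            ],
        },
        {
            "id": 10020,
            "name": "Support permission scheme",
            "permissions": [
                {"id": 5, "permission": "BROWSE_PROJECTS",
                 "holder": {"type": "reporter"}},
                {"id": 6, "permission": "BROWSE_PROJECTS",
                 "holder": {"type": "group", "parameter": "support-team"}},
            ],
        },
    ]
}


def audit_browse_grants(payload: Dict) -> List[Dict]:
    """Return one finding per BROWSE_PROJECTS grant that leaks project visibility."""
    findings = []
    for scheme in payload.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            if grant.get("permission") != "BROWSE_PROJECTS":
                continue
            holder = grant.get("holder", {})
            htype = holder.get("type")
            if htype in PER_ISSUE_HOLDERS:
                reason = "per-issue holder: project is listed for every licensed user"
            elif htype in EVERYONE_HOLDERS:
                reason = "grants Browse Projects to everyone"
            else:
                continue  # user, group, projectRole, projectLead: evaluable at project level
            findings.append({
                "scheme_id": scheme.get("id"),
                "scheme": scheme.get("name"),
                "holder_type": htype,
                "parameter": holder.get("parameter"),
                "reason": reason,
            })
    return findings


def fetch_schemes(base_url: str, user: str, token: str) -> Dict:
    """Pull live schemes with basic auth (assumed deployment details; not run here)."""
    url = f"{base_url.rstrip('/')}/rest/api/2/permissionscheme?expand=permissions"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{user}:{token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for f in audit_browse_grants(SAMPLE_SCHEMES):
        print(f"[{f['scheme_id']}] {f['scheme']}: {f['holder_type']} "
              f"{f['parameter'] or ''} -> {f['reason']}")
```

Run it against a live export by replacing `SAMPLE_SCHEMES` with `fetch_schemes(...)`. Each finding is a grant to move out of Browse Projects and onto a role or group, with the per-issue need (a manager who should see only their own issues) covered by an issue security scheme instead, which is the trade-off the answer above describes.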

0 votes
Kristján Geir Mathiesen
Community Champion
April 6, 2020

Hi @Jennifer Osborn 

I guess you don't happen to have "Reporter" in your "Browse Project" permission on these 4 projects?

Did you expand the Permission Helper window to see all the failed results? 

HTH,
KGM

Jennifer Osborn
Contributor
April 6, 2020

Hi KGM! 

There's no "Reporter" in the Browse Project permission.  For the OOPS project, it's User, Developer, Admin & EE Manager.  (and each role has 5 individual people in it, no groups)

For the permission helper, in addition to the "user does not have Browse Projects permission" red X, there are the following when expanding the results:

Red X:  Project Role

Red X:  User Custom Field Value

Green Check:  JIRA Service Desk, with the note:  JIRA service desk does not override this permission
